>> 5) moreover, in each branch, clients should be able to change
>> their passwords, and Samba should be able to add machines to the
>> database automatically. These changes should be added to the local
>> machine (to save time on a tight bandwidth, prevent failures due to
>> a broken link etc.), which would then be transferred to the central
>> server, and from there, to the rest of the branch offices.

For the realtime solution - use the chaining overlay in OpenLDAP 2.2
to force the replicas to directly update the master when a client
performs a modification. This guarantees that changes will preserve
data consistency, and avoids the problems of client-side referral
chasing, but it requires that the master is reachable when a
modification is performed.

OK... I guess I'd use "realtime" solution then.

Could you point me to some documentation on "chaining overlay"?
In the whole "OpenLDAP 2.2 Administrator's Guide" there is no such word as
"chaining", and there is only one word "chain", not very relevant to
this topic.

My mistake, the chaining overlay has not been released in OpenLDAP 2.2.
It is in CVS HEAD though. Basically it uses back-ldap to make slapd
chase referrals that the underlying database would otherwise try to send
to the client. As such, you should first read the slapd-ldap(5) manpage
and then have a look at this message:

You will also need a good understanding of Proxy Authorization, as
described in the 2.2 Admin Guide.

As I said, this will only be used for changing passwords / adding
machines, and as these are done rather seldom, it's OK if it's slow -
consistency is a priority here.

I thought of using referrals for that, but I'm not sure if it's
possible to use referrals just for write access:

1) passwords should be written to the master, and then replicated to
slaves,

2) on the other hand, passwords should be read from slaves located
locally - to provide fast access (and to prevent a situation where the
link to the master is broken and no one can log in, as connecting to
the master and getting the password is impossible).

The chaining solution will accomplish the above. I expect that it will
be freshened up for OpenLDAP 2.3 along with a manpage but if you're
desperate to try it, it should work with 2.2.
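For readers who want to see how the pieces named in this thread (updateref, back-ldap, the chain overlay and proxy authorization) fit together, here is an added configuration sketch. It is not from the thread or from the OpenLDAP project docs; the chain-* directives are the slapo-chain(5) spelling that shipped with OpenLDAP 2.3, since the overlay was unreleased when this was written. Hostnames, DNs, suffix, schema paths, module paths and the proxy credential are all assumed placeholders.

```conf
############################################################
# Branch-office replica: slapd.conf fragment (assumed layout)
############################################################
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# chaining is implemented on top of back-ldap; only needed if slapd
# was built with back-ldap as a dynamic module (assumed path)
modulepath      /usr/lib/openldap
moduleload      back_ldap.la

# Global (frontend) chain overlay, configured before the first
# "database" line as slapo-chain(5) recommends.  It chases the
# referral the replica database below would otherwise hand to the
# client, so a password change or a Samba machine add is written on
# the master and the client sees an ordinary result code.
overlay         chain
chain-uri       "ldap://master.example.com"
# passwords and the proxy credential travel on this link: use TLS
chain-tls       start
# bind to the master as the proxy identity, then assert the DN of the
# user who actually bound to the replica (proxy authorization)
chain-idassert-bind bindmethod="simple"
        binddn="cn=proxy,dc=example,dc=com"
        credentials="secret"
        mode="self"
chain-rebind-as-user FALSE
# if the master is down, return the error instead of the referral
chain-return-error TRUE

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass,uid,uidNumber,gidNumber   eq

# slurpd on the master pushes changes here, binding as this DN
updatedn        "cn=replicator,dc=example,dc=com"
# every client write gets a referral to the master ...
updateref       ldap://master.example.com
# ... while reads keep being served from the local copy (ACLs on the
# replica should mirror the master's)
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

############################################################
# Master: the proxy identity may act only as ordinary users
############################################################
# 2.3 spelling; 2.2 called these sasl-authz-policy / saslAuthzTo
authz-policy    to
# the master's own ACLs still apply to the asserted identity, so a
# user chained through the replica can change only its own password
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
```

The proxy entry on the master then carries an authzTo value restricting whose identity it may assume, for example `authzTo: dn.regex:^uid=[^,]+,ou=People,dc=example,dc=com$`; the identity Samba binds with to add machine accounts has to be covered as well. Two practitioner caveats: the replica now stores a credential that can impersonate every DN matched by that pattern, so keep the pattern narrow and slapd.conf readable only by the slapd user; and with `chain-return-error TRUE` a broken link makes writes fail cleanly while local reads, and therefore logins, keep working, which is the behaviour asked for above.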